The entertainment industry is in the midst of a digital revolution. Music, television, and movies are increasingly becoming digital, offering new advantages to the consumer in quality and flexibility. At the same time, since digital data can be perfectly and quickly copied, the digital revolution also comprises a threat. If consumers may freely copy entertainment content and offer that content on the Internet, the market for entertainment content may evaporate.
The widespread transition of data from analog format to digital format has exacerbated problems relating to unauthorized copying and redistribution of protected digital content. Flawless copies of content can be easily produced and distributed via the Internet or on physical media. This piracy is a major concern and expense for content providers; to this end, industry consortia have been formed. These groups are licensing agencies that provide content protection tools based on Content Protection for Recordable Media (CPRM) and Advanced Access Content System (AACS), respectively. CPRM is a technology developed and licensed by the 4C group, comprising IBM, Intel, Matsushita, and Toshiba, to allow consumers to make authorized copies of commercial entertainment content where the copyright holder for such content has decided to protect it from unauthorized copying. AACS is a follow-on technology for the same purpose, under development by a group comprising IBM, Intel, Matsushita, Toshiba, Sony, Microsoft, Warner Brothers, and Disney.
CPRM and AACS protected files are encrypted with a key that is specific to a media identifier on the original storage medium (such as a DVD or CD-ROM etc.) of the protected file. Consequently, simply copying the content to another storage medium does not break the protection. The essential building block for CPRM and AACS is structure called a media key block (MKB) that is distributed together with the content. The MKB is a file containing encryptions of a single media key by a large number of keys known by compliant devices.
Each individual compliant device is assigned a set of unique device keys that allow it to decrypt the MKB and obtain the media key from the MKB. The media key is then combined with the media identifier and other values to derive a title key used to decrypt the protected digital content. If a device is revoked, using its device key to decrypt MKB will get garbage instead of a valid media key. By this method, revocation is performed in a typical content protection system such as CPRM and AACS. Details of the CPRM and AACS technology are provided in the applications incorporated by reference and are also available from 4C and AACS.
The cryptographic keys required to indirectly encrypt and decrypt the content are distributed from a key generation facility to device manufacturers and burn-into devices. Maintaining the secrecy of the cryptographic keys is essential for maintaining the integrity of a secure content protection scheme. For example, the device keys assigned to each device must be kept highly confidential. The consequences of accidental or malicious disclosure of the long-lived secret keys are grave; loss of these secrets can lead total breakdown of the copy protection schemes the secrets support and to potentially huge monetary loss for the participants of the copy protection scheme.
Fundamentally, the AACS protection depends on the interaction between tree-based device keys and the media key block [reference is made to Naor et al., “Revocation and Tracing schemes for stateless receivers”, CRYPTO 2001, and to U.S. Pat. No. 7,039,803], which allows unlimited, precise cryptographic revocation of compromised devices without danger of collateral damage to innocent devices. One possible pirate attack on this system is that attackers reverse-engineer their devices, extract device keys from the devices, and build a clone device using those extracted device keys. To defend against this type of pirate attack and identify which devices are involved in building the clone device, forensic MKBs are carefully crafted. The forensic MKB is a special purpose MKB that is applied to the clone device. The outcome of applying the forensic MKB to the clone device is observed. After a sequence of applied forensic MKBs and observed outcomes, one can deduce which device keys are used in the clone device. Once the device keys are identified, they can be revoked in the newly-produced MKBs. In the art, finding which devices are involved in building the clone device is called “traitor tracing”.
Another type of pirate attack in the above content protection system is an anonymous attack, wherein an attacker or group of attackers tries to hide their secret device keys and operate anonymously. In this attack, the attackers instrument their devices and collude to build a pirate copy of the decrypted plaintext content or the decryption key itself. The attackers can then redistribute the plaintext content or the decryption key. How does one know which devices are involved in constructing the pirate copy when the pirate copy is recovered? One solution is to differently watermark and differently encrypt each movie for each authorized device so that the watermarking and encryption information uniquely identifies the compromised box. Alas, this solution is not feasible because of the excessive computing effort and transmission bandwidth required to prepare and transmit individualized movies. The distribution system is economical only if the movies can be distributed over broadcast channels; i.e., every receiver gets substantially the same data at the same time.
In the art, there is another type of traitor tracing technology that is used to identify which devices are involved in constructing the pirate copy of the content. In one particular instance of this approach, an original version of each movie file is augmented before being broadcast. Specifically, the file that is actually broadcast has had at least one critical file segment replaced by a set of segment variations. Each file segment variation is differently encrypted and also differently watermarked prior to encryption, although the entire file may be watermarked as well. All the variations in one segment are identical for viewing purposes though digitally different. A particular receiver using an assigned secret cryptographic key can decrypt only one of the variations in each segment. All legitimate receivers with valid secret keys can play the content through different segment combinations. If the receiver is compromised and is used to illegally rebroadcast either the keys or the segments themselves, it is possible to deduce which receiver or receivers have been compromised after recovering a sufficient number of pirated content or keys.
After the devices involved in the anonymous attack are identified, the device keys associated with these devices can be revoked in future content releases. To enable revocation, a structure similar to the MKB is used. For example, in AACS, the assigned secret cryptographic keys that enable traitor tracing for anonymous attack are called sequence keys, similar to device keys. The structure that can incorporate revocation information is called a sequence key block (SKB). Any compliant device can use its valid sequence key to process the SKB and obtain a key that can indirectly decrypt the content.
Although conventional traitor tracing technology has proven to be useful, it would be desirable to present additional improvements. Current content protection systems such as AACS utilize two separate systems, the media key block and the sequence key block. The media key block is tree-based and is used to thwart an attack in which a clone device is constructed from a set of pirated device keys. The clone device can be illegally used to copy copyrighted content and can be sold on the black market. The sequence key block is matrix-based, and is used to thwart an attack in which sequence keys, title keys, or an entire decrypted movie is re-distributed. Utilizing two separate systems requires additional storage on media and calculation by the media device, affecting performance of a digital content system.
Furthermore, deploying two separate systems is inefficient and time consuming. Using media key blocks to revoke traitors provides good revocation provided that traitors can be identified when clone devices are recovered. However, this type of tracing based on forensic MKBs may take an excess amount of time and the scheme can be overwhelmed. On the other hand, using sequence key blocks provides good tracing, but revocation is limited. Further, as sequence keys are revoked in the sequence key block, tracing capability is degraded.
What is therefore needed is a system, a service, a computer program product, and an associated method for performing unified broadcast encryption and traitor tracing for digital content that combines sequence key protection with a media key block, providing a more efficient and simpler approach for tracing and revoking traitors. The need for such a solution has heretofore remained unsatisfied.